What is the Embed Policy Option for Symantec Encryption Desktop Configured Installations?
search cancel

What is the Embed Policy Option for Symantec Encryption Desktop Configured Installations?


Article ID: 153203


Updated On:


Drive Encryption Encryption Management Server


Symantec Encryption Desktop Managed Installs with the Embed policy option


With the Preset Policy Group option, it is possible to select to embed policy and license information into the installer to force the clients to be disconnected from the Symantec Encryption Management Server. If this is done, there is no connection between the client and the Symantec Encryption Management Server. The client never receives any updated policy information from the Symantec Encryption Management Server, even if the policy is updated on the server side Policy information normally downloaded during installation is instead embedded in the installer itself. The Organization Key and ADK, however are not included in embedded policies. This option is useful for Symantec Drive Encryption-only deployments, which cannot connect again to the Symantec Encryption Management Server. If a Symantec Drive Encryption deployment never connects to the Symantec Encryption Management Server, Whole Disk Recovery Tokens, along with other policy features may not be used. 

NOTE: This option is not recommended for other Symantec Encryption Desktop deployments and caution should be exercised when considering this option as many product features do not work in this mode.  Instead, consider enrolling a Drive Encryption-Only client at least one time so a recovery token is available.  If the client never communicates with the server again, the client will continue to function as long as the license number being used never expires.

Tip: If you have clients that need to be encrypted with Drive Encryption and will never communicate with the PGP server, we recommend using "Symantec Endpoint Encryption" (as no recovery tokens will be available in this mode), which can encrypt a system and uses "Connectionless" recovery.  In Connectionless Recovery, the SEE client can encrypt the hard drive, and even if it never communicates with the Encryption Server, a recovery key can be provided to unlock the machine.  Symantec Endpoint Encryption is "machine based", whereas PGP is "User Based".  If you own a license for PGP Drive Encryption, you are entitled to use the SEE Drive Encryption.  Reach out to Symantec Enterprise Support for further assistance on this.   For a Product comparison of SEE VS PGP, see the following article: 151074 - Symantec Endpoint Encryption and PGP Encryption Solutions Comparison


Special consideration should be given when using the Embed Policy option as some functionality is not available when using this feature as listed below: 

  • Whole Disk Recovery Tokens are not supported because the Symantec Drive Encryption client does not communicate with the Symantec Encryption Management Server.
  • Key Reconstruction data is also not available as this data needs to be synchronized to the SEMS.
  • Server managed keys such as Guarded Key Mode (GKM), Server-Client Key Mode (SCKM), and Server Key Mode (SKM) are not supported as these key modes require communication with the SEMS. Because no SEMS Server-managed keys can be used, this makes recovery of keys difficult or not possible (It is possible to export the private portion of a key after it has been created and upload to the SEMS, however this is a manual process and is no longer managed automatically).
  • No Additional Decryption Keys (ADKs) will be included and are not supported when using the Embed policy option.
  • Email encryption is also unsupported when using the Embed policy option.
  • If a license number has been used with the Embed policy option and enables Email Encryption, problems will occur when attempting to send email as the rules are not followed properly that are applicable to the server (Embed policy is for Symantec Drive Encryption Only).


Note: The Embed Policy option is for Windows only.  This feature is not intended to be used for Linux or Mac OSX.  The Embed option is grayed out when attempting to download from the PGP Universal Server for Linux or Mac operating systems.  A feature request has been logged for this functionality and can be viewed in article TECH197036.


Creating a Managed Symantec Drive Encryption Installation with Embedded Policy

  1. Login to the SEMS
  2. Click Consumers, then Consumer Policy. 
  3. Either create a new Consumer Policy, or click on the applicable Consumer Policy to be modified for the Symantec Drive Encryption-Only client. 
  4. Once Selected, click "Desktop..." within the "Symantec Encryption Desktop" section, this will open all the policy options.
  5. Under the General tab, make sure the option "Automatically set up Key Reconstruction" is unchecked.  
  6. Under Messaging & Keys, make sure "Email Messaging" is unchecked.
  7. Under Drive Encryption, make sure "Enable Whole Disk Recovery Tokens" is unchecked.
  8. WDE Admin Passphrase and WDE Admin Keys are supported with the Embed Policy option and can be enabled in policy.
  9. Save all the changes for the Desktop settings.
  10. Next, Click on "Edit" under the "Keys" section of the Consumer Policy. 
  11. Under Management, make sure "CKM" is the only option selected. 
  12. Click Save to save these options.
  13. Next, under Consumer Policy, select "Groups", and click "Downloads Client..."
  14. Check the Customize box, select Preset Policy Group, and check the box "Embed policy and license...".
  15. In the "Symantec Encryption Server field, either change the hostname in this field to one that does not exist so that the client will not contact the Server, or ensure the client will not have communication to the existing Symantec Encryption Management Server in any way.
  16. Leave the Mail Server Binding empty as this will also cause the Embed policy to fail. 
  17. Click Download. When installing, there should be a prompt confirming a locally embedded administrator preference will be used. If this does not occur, the configured install should be re-created following the steps outlined above.


Changing Symantec Encryption Desktop configured client Policies 


Note: If there is a requirement to install a new Symantec Encryption Desktop configured client with the Embed option, or a Standard configured client that must contact a Symantec Encryption Management Server, be sure to delete the PGP preferences (both Embedded and Standard preference files) that are left behind as these files will interfere with the new installation and will use old settings.

PGP Preference files for Windows XP

Embedded Preference file: C:\Documents and Settings\All Users\Application Data\PGP Corporation\PGP\PGPadmin.xml
Standard Preference files: C:\Documents and Settings\User Account\Application Data\PGP Corporation\PGP\PGPprefs.xml and PGPpolicy.xml

PGP Preference files for Windows 7\8:

Embedded Preference file:
C:\ProgramData\PGP Corporation\PGP\PGPadmin.xml
Standard Preference files: C:\Users\User Account\AppData\Roaming\PGP Corporation\PGP\PGPprefs.xml and PGPpolicy.xml

Delete the PGP preference files after PGP has been uninstalled as these files are re-created once PGP has been run again, so make sure they are removed after the uninstall has completed. 



Errors caused by the Embed policy option 

If the Embed policy option has been used during the creation of a Standard configured PGP Desktop installation that must contact a PGP Universal Server, the enrollment process will not work properly and the error "Unable to connect to configuration server" can occur.

If using a Standard configured PGP Desktop installation and sending Whole Disk Recovery Tokens to the PGP Universal Server is enforced, the error "The administrative server is not available for storing the Whole Disk Recovery Token" will be displayed:

In addition to the errors displayed above, enrolling with LDAP will also be problematic. The Embedded preference policy was not designed to connect to any PGP Universal Servers. Because this connection cannot be established with the PGP Universal Server, an email address prompt will be displayed instead of LDAP credentials during LDAP enrollment.  Enrollment will fail at this point and will display one or more of the errors displayed above.

The solution to the above errors when using a Standard PGP Desktop configured install that must contact a PGP Universal Server is to uninstall the PGP Desktop software, delete the above mentioned preference files (pgpprefs.xml and PGPadmin.xml) and create a new configured installation without the Embed policy option.  To obtain a completely fresh installation, simply delete the PGP Corporation folders located in Application Data (AppData for Windows Vista).

If the intention was to use a configured policy with the Embed option and the PGP Whole Disk client is unable to contact the PGP Universal Server, most likely a valid hostname for the PGP Universal server was used.  This should be changed to an invalid hostname so the PGP Whole Disk client does not attempt to contact the PGP Universal Server. Also, a Mail Server Binding may have been entered. In both cases, a new PGP Desktop configured install should be created with the Embed option.


Note: Symantec Encryption Management Server 3.2 had an issue where the Embed Policy option prevents encrypting a machine.  For more information on this issue and how to resolve, see article TECH192250.


For information on how to convert an Embed Policy client into the standard managed client which communicates with Symantec Encryption Management Server without the need of uninstalling the software, see article TECH149637.